Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
From: "Daniel Kachakil" <dani () kachakil com>
Date: Sun, 8 Feb 2009 14:28:27 +0100

Dear Paul:

Thanks for your comments. And yes, I think you are 100% right. The SFX-SQLi 
"injection technique/method" (is there a better name for it?) will not help 
you to extract more data than other existing techniques.

The XMLSCHEMA option is only an alternative way to get the column names 
(instead of using SYSOBJECTS, for instance). Maybe it can also bypass some 
basic filters (e.g. there is no need to use the WHERE clause), but this is 

The main difference is this:
- Time-based SQL injection:  1 request -> 1/2 char using Deep Blind (but 
very slowly)
- Blind SQL injection:  1 request -> 1/7 char
- Union / error-based SQL injection:  1 request -> 1 field
- SFX-SQL injection:  1 request -> 1 table

So yes, this technique will extract the same data, but thousands of times 
faster than other methods.

  Daniel Kachakil
From: "Paul Schmehl" <pschmehl_lists () tx rr com>
Sent: Sunday, February 08, 2009 5:10 AM
To: <full-disclosure () lists grok org uk>
Cc: "Daniel Kachakil" <dani () kachakil com>
Subject: Re: [Full-disclosure] SFX-SQLi: A new SQL injection technique for 
SQL     Server (dumps a table in one request!)

--On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil 
<dani () kachakil com> wrote:

I have written a paper describing how the technique works and in which
fundamentals it is based, and I have also developed a tool which
this technique as a proof of concept (with the source code included).

You can get them through this URL:


Having read your paper, I'm a bit confused about what you think the "new 
SQL injection technique" is that you've discovered.  I understand you have 
determined a way to *extract* data in a more compact and efficient format, 
but I didn't see any new *injection* technique.  IOW, the FOR XML 
construct isn't going to assist you in obtaining the data - only in 
obtaining it more efficiently.

Did I miss something?

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
WARNING: Check the headers before replying

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]